Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization

Size: px
Start display at page:

Download "Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization"

Transcription

1 Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization

2 Outside View of Increased Regulatory Requirements Regulatory compliance is often seen as sand in the gears requirements that increase cost, introduce friction into the business processes, and have little or no payback. Introduction of multiple standards and an increasingly complex regulatory environment has disrupted IT Governance focus on improving process efficiencies Limited awareness of unified mapping of new standards and requirements has resulted in duplication of efforts Shifts in technology usage, such as the use of Cloud Computing, has introduced new risks to businesses and introduced uncertainty on how to mitigate these risks while continuing to meet new requirements Source: Gartner Research 1

3 Pressures on Business Today Uncertainty Increased Boards & Executives Accountability Liability Multiple Diverse Risks Modern Enterprise Spiraling Compliance Costs Speed Variability Globalization 2

4 Governance Requirements Common Elements and Challenges 3

5 Governance Requirements Understand the external and internal governance expectations of IT, and the common controls and objectives. Legislative & Mandated SOX HIPAA/HITECH PCI NIST Red Flag Rules ediscovery External & nonmandated ISO 27001/2 SLA HITRUST COSO COBIT Internal SAS 70 Internal SLAs Business Continuity Customer Requirements 4

6 Governance Requirements ISO Compliance Examines the organization's information security risks, taking account of the threats, vulnerabilities and impacts Requires the organization to design and implement a coherent and comprehensive suite of information security controls Brings information security under explicit management control PCI Compliance Prevents credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass cardholder information SOX Established corporate governance standards for public companies. Placed responsibility on boards of directors, CEOs and CFOs to design and implement appropriate corporate governance processes. 5

7 Governance Requirements HIPAA/HITECH Outlines information security requirements for health information systems and exchanges. Established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. The CSF harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). Business Continuity Prepares an organization to respond to events that disrupt normal and on-going operations. Risk management is an essential element of business continuity. and many more 6

8 7

9 Governance Requirements Typical Challenges Managed in silos Mostly reactionary projects Handled separately from mainstream processes and decision making Humans utilized as middleware leading to Greater risks More complexity Lower confidence Higher cost Limited and fragmented use of technology 8

10 Governance Requirements Common Elements - One Framework, Multiple Standards Compliance frameworks have been developed to simultaneously cover a wide range of standards: ISACA COBIT ISACA has and continues to invest efforts in mapping COBIT framework with ISO/IEC 27002, SOX, etc. to improve control environment efficiencies. Unified Compliance Framework (UCF) One of the first and largest independent initiatives to map IT controls across international regulations, standards, and best practices. HITRUST Common Security Framework (CSF) Unifies all targeted frameworks and standards (COBIT, ISO, PCI, HIPAA, etc.) relevant to health care. Many portions of the framework can also aid non-health care related organizations. 9

11 What is HITRUST? Executive Committee The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of the broad adoption of health information systems and exchanges. Industry-based collaboration among healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. The CSF is an information security framework that harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). As a framework, the CSF provides organizations with the needed structure, detail and clarity relating to information security tailored to the healthcare industry. Beyond the establishment of the CSF, HITRUST is also driving adoption and widespread confidence in the framework and sound risk management practices through education, advocacy and other outreach activities. Ultimately, an organization's adoption of the CSF will establish confidence in its ability to ensure the security of personal health information.

12 Governance Requirements Common Elements - One Framework, Multiple Standards The HITRUST Common Security Framework (CSF) provides a valuable method to assess the security controls in a healthcare environment and provide a path for continuous improvement. Because it was developed leveraging multiple security standards and regulations, the model provides a convenient single model to leverage for many of your security governance requirements. COBIT COBIT ISO 27001/2 ISO 27001/2 HITECH Act HIPAA Security PCI HITECH Act HITRUST CSF HIPAA Security PCI Meaningful Use NIST States Meaningful Use NIST States 11

13 HITRUST Common Security Framework (CSF) The HITRUST Common Security Framework is a viable alternative to developing a custom framework HITRUST unifies all targeted frameworks and standards relevant to health care HITRUST is constantly revised to ensure currency and relevance Control practices tailored to the health care environment Self-assessment criteria for control and supporting control practice compliance 2009 HITRUST LLC, Frisco, TX. All Rights Reserved. 12

14 13 Governance Framework

15 IT Governance vs. Compliance Productivity IT Governance Policy Do it right Strategy Value Defining Standards IT Processes Val IT ITIL ISO Best Practices Process Do it better Performance Value Adding Risk Management CobiT Operation Risk Mgmt IT Security IT Risk Mgmt Control Objectives (statements) Do it to protect Mitigation Value Preserving Controls Practices Compliance Sox Banking Regs National Regs Other Regs Do it or else Check & Balance Transparency Regulation Reporting & Metrics 14

16 The Protiviti Governance Model The value of effective governance is improved business performance and outcomes. Effective IT governance aids in addressing and mitigating some of the overall risks faced by an organization By implementing effective governance practices mechanisms are established for IT to: Understand and manage all ITrelated risks Optimize returns on IT-related business investments Deliver value from IT expenditure Maximize opportunities for business use of IT Provide appropriate IT capabilities Address legal and regulatory compliance Provide transparency and assurance that IT objectives are being achieved 15

17 Envisioning the Future State IT Governance is defined as the ability for the enterprise s IT function to sustain and extend the organization s strategies and objectives. Understand & Scope Identify your organization s internal & external requirements. Establish Desired Structure Assess Business and IT strategy to determine the proper alignment of business activities and controls. Determine Existing Capabilities Evaluate the existing formal and informal management practices within IT. Assess how these align with the desired structure of the governance program. Create Plan to Enhance Existing Processes & Controls Create a plan to enhance and formalize existing management processes. Sustain Measure process throughput via KPIs, monitor process performance and identify workflow constraints. 16

18 Common Governance Implementation Strategy Security Policy & Program Security Strategy & Architecture Security Implementation & Deployment Security Metrics Incident Response Awareness & Training Infrastructure Vulnerability Application Vulnerability Network Vulnerability Database Vulnerability Program Policy Standards Alignment Metrics Awareness Training Strength Servers Network Application Database ID Mgmt Policy Implementation SSO, RBAC Federation Trusted Credentials Open Identities Data Centric Discovery Classification Data Leakage Encryption Privacy Compliance PCI, HITRUST Vendor Mgmt Access Mgmt Policy & Standards IDAM Design & Implementation Identity Credential Selection Services Identity Federation Strategy & Implementation Data Classification Data Leakage Services Encryption & Storage Strategy & Implementation Privacy Management & Implementation PCI Planning, Readiness & Compliance HITRUST Planning, Readiness & Compliance Other Data Compliance Vendor Due Diligence Other Data Security & Privacy Management 17

19 Envisioning the Future State What IT processes will be impacted: Determine the processes that will influence IT s new KPIs? - Security Administration - Asset Management - Project Management - Security Monitoring - Incident Management What is to be measured: Your specific control requirements must be integrated into existing management processes. Consider what KPIs are needed to measure compliance? Process Performance? Resource productivity? Establish an organizational structure and performance expectations that support the objectives How can our KPIs be categorized into how IT manages demand and service? 18

20 19

21 Future State Outcomes Organizational Transparency Ongoing collaboration with the entire organization to determine current compliance requirements, overlaps amongst these requirements, and opportunities for control consolidation to improve efficiencies. Communication on a regular basis between IT teams to maintain standardized processes Integration, Streamlined Processes, and Common Dialog Understanding business needs, the current IT landscape including people, processes, and technology, and the required future state Development of solid risk management strategies capable of identifying high-risk processes and control requirements to mitigate these risks Integration and standardization of activities among the entire IT team from Help Desk to Infrastructure Support 20

22 Future State Outcomes Integration, Streamlined Processes, and Common Dialog (continued) Proactive monitoring of Public Policy and the current Regulatory Environment in order to meet new and existing regulatory requirements Automation of compliance efforts through Governance, Risk, and Compliance platforms Security and Resource Efficiencies Controls driven by business process vs. compliance Improvement in security and monitoring from streamlined control sets Increased resource efficiencies and cost savings through effectively defined roles 21

23 Summary Identify and assess all of your external and internal governance requirements. Build a single common control framework specific to your organization leverage existing frameworks as a starting point. Determine the KPIs that could be used to measure adherence. Identify the IT management processes that influence your control and KPI requirements. Determine how you can formalize and enhance those existing processes. Build sustainability through active management, link performance objectives to organizational objectives. Compliance should be a byproduct of a good governance process 22

24 Contact Us For additional information or to receive a copy of this slide deck, please contact the presentation team: Timothy Maloney Darren Jones Powerful Insights. Proven Delivery. One PPG Place, Suite 2350 Pittsburgh, PA Direct: Mobile: Fax: Powerful Insights. Proven Delivery. One PPG Place, Suite 2350 Pittsburgh, PA Direct: Mobile: Fax:

25 24

HITRUST CSF Assurance Program

HITRUST CSF Assurance Program HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview

More information

Sensitive Data Management: Current Trends in HIPAA and HITRUST

Sensitive Data Management: Current Trends in HIPAA and HITRUST Sensitive Data Management: Current Trends in HIPAA and HITRUST Presented by, Cal Slemp Managing Director, New York, NY June 12, 2012 Speaker Presenter Topic Objective Cal Slemp Managing Director, New York

More information

HIPAA and HITRUST - FAQ

HIPAA and HITRUST - FAQ A COALFIRE WHITE PAPER HIPAA and HITRUST - FAQ by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Director, Healthcare Practice Lead Coalfire February 2013 Introduction Organizations are

More information

What can HITRUST do for me?

What can HITRUST do for me? What can HITRUST do for me? Dr. Bryan Cline CISO & VP, CSF Development & Implementation Bryan.Cline@HITRUSTalliance.net Jason Taule Chief Security & Privacy Officer Jason.Taule@FEIsystems.com Introduction

More information

Key Speculations & Problems faced by Cloud service user s in Today s time. Wipro Recommendation: GRC Framework for Cloud Computing

Key Speculations & Problems faced by Cloud service user s in Today s time. Wipro Recommendation: GRC Framework for Cloud Computing Contents Introduction Why GRC Assessment Benefits of Cloud computing and Problem Statement Key Speculations & Problems faced by Cloud service user s in Today s time Threats, Vulnerabilities and related

More information

XBRL & GRC Future opportunities?

XBRL & GRC Future opportunities? XBRL & GRC Future opportunities? Suzanne Janse Deloitte NL Paul Hulst Deloitte / Said Tabet EMC Presenters Suzanne Janse Deloitte Netherlands Director ERP (SAP, Oracle) Risk Management GRC software Paul

More information

igrc: Intelligent Governance, Risk, and Compliance White Paper

igrc: Intelligent Governance, Risk, and Compliance White Paper igrc: Intelligent Governance, Risk, and Compliance White Paper 2013 2013 Edgile, Inc. All Rights Reserved Executive Overview This whitepaper discusses the business needs addressed by Edgile s igrc solution,

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

MU Security & Privacy Risk Assessments: What It Is & How to Approach It

MU Security & Privacy Risk Assessments: What It Is & How to Approach It MU Security & Privacy Risk Assessments: What It Is & How to Approach It Dr. Bryan S. Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP Advisor, Health Information Trust Alliance 2011-2014 HITRUST LLC, Frisco,

More information

IT Risk Management Life Cycle and enabling it with GRC Technology. 21 March 2013

IT Risk Management Life Cycle and enabling it with GRC Technology. 21 March 2013 IT Risk Management Life Cycle and enabling it with GRC Technology 21 March 2013 Overview IT Risk management lifecycle What does technology enablement mean? Industry perspective Business drivers Trends

More information

Governance, Risk, and Compliance (GRC) White Paper

Governance, Risk, and Compliance (GRC) White Paper Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:

More information

IT GOVERNANCE PANEL BRING VALUE BY AUDITING IT GOVERNANCE GET THE

IT GOVERNANCE PANEL BRING VALUE BY AUDITING IT GOVERNANCE GET THE 1 IT GOVERNANCE PANEL BRING VALUE BY AUDITING IT GOVERNANCE GET THE ANSWERS AND PRACTICAL TIPS FROM THE IT GOVERNANCE AUDIT PROFESSIONALS JOHAN LIDROS, PRESIDENT EMINERE GROUP KATE MULLIN, CISO, HEALTH

More information

Achieving Business Imperatives through IT Governance and Risk

Achieving Business Imperatives through IT Governance and Risk IBM Global Technology Services Achieving Business Imperatives through IT Governance and Risk Peter Stremus Internet Security Systems, an IBM Company Introduction : Compliance Value Over the past 15 years

More information

Can CA Information Governance help us protect and manage our information throughout its life cycle and reduce our risk exposure?

Can CA Information Governance help us protect and manage our information throughout its life cycle and reduce our risk exposure? SOLUTION BRIEF: CA INFORMATION GOVERNANCE Can CA Information Governance help us protect and manage our information throughout its life cycle and reduce our risk exposure? CA Information Governance delivers

More information

IT Governance, Risk and Compliance (GRC) : A Strategic Priority. Joerg Asma

IT Governance, Risk and Compliance (GRC) : A Strategic Priority. Joerg Asma IT Governance, Risk and Compliance (GRC) : A Strategic Priority Joerg Asma Agenda Introductions An Overview of IT Governance Risk & Compliance (IT-GRC) The Value Proposition Implementing an IT-GRC Program

More information

A Flexible and Comprehensive Approach to a Cloud Compliance Program

A Flexible and Comprehensive Approach to a Cloud Compliance Program A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility

More information

Perspectives on Navigating the Challenges of Cybersecurity in Healthcare

Perspectives on Navigating the Challenges of Cybersecurity in Healthcare Perspectives on Navigating the Challenges of Cybersecurity in Healthcare May 2015 1 Agenda 1. Why the Healthcare Industry Established HITRUST 2. What We Are and What We Do 3. How We Can Help Health Plans

More information

Enhancing IT Governance, Risk and Compliance Management (IT GRC)

Enhancing IT Governance, Risk and Compliance Management (IT GRC) Enhancing IT Governance, Risk and Compliance Management (IT GRC) Enabling Reliable eservices Tawfiq F. Alrushaid Saudi Aramco Agenda GRC Overview IT GRC Introduction IT Governance IT Risk Management IT

More information

GRC Stack Research Sponsorship

GRC Stack Research Sponsorship GRC Stack Research Sponsorship Overview Achieving Governance, Risk Management and Compliance (GRC) goals requires appropriate assessment criteria, relevant control objectives and timely access to necessary

More information

Welcome to Modulo Risk Manager Next Generation. Solutions for GRC

Welcome to Modulo Risk Manager Next Generation. Solutions for GRC Welcome to Modulo Risk Manager Next Generation Solutions for GRC THE COMPLETE SOLUTION FOR GRC MANAGEMENT GRC MANAGEMENT AUTOMATION EASILY IDENTIFY AND ADDRESS RISK AND COMPLIANCE GAPS INTEGRATED GRC SOLUTIONS

More information

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014 IT Cloud / Data Security Vendor Risk Management Associated with Data Security September 9, 2014 Speakers Brian Thomas, CISA, CISSP In charge of Weaver s IT Advisory Services, broad focus on IT risk, security

More information

Information Technology Auditing for Non-IT Specialist

Information Technology Auditing for Non-IT Specialist Information Technology Auditing for Non-IT Specialist IIA Pittsburgh Chapter October 4, 2010 Agenda Introductions What are General Computer Controls? Auditing IT processes controls Understanding and evaluating

More information

MU Security & Privacy Risk Assessments: What It Is & How to Approach It

MU Security & Privacy Risk Assessments: What It Is & How to Approach It MU Security & Privacy Risk Assessments: What It Is & How to Approach It Dr. Bryan S. Cline, CISSP-ISSEP, CISM, CISA, ASEP, CCSFP CISO & VP, CSF Development & Implementation Health Information Trust Alliance

More information

CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.

CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes. TECHNOLOGY BRIEF: REDUCING COST AND COMPLEXITY WITH GLOBAL GOVERNANCE CONTROLS CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes. Table of Contents Executive

More information

Project Management and ITIL Transitions

Project Management and ITIL Transitions Project Management and ITIL Transitions April 30 th 2012 Linda Budiman Director CSC 1 Agenda Thought Leadership: Linda Budiman What is ITIL & Project Management: Applied to Transitions Challenges & Successes:

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach

The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach by Philippe Courtot, Chairman and CEO, Qualys Inc. Information Age Security Conference - London - September 25

More information

The Value of Vulnerability Management*

The Value of Vulnerability Management* The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda

More information

Vendor Risk Management Financial Organizations

Vendor Risk Management Financial Organizations Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current

More information

Balancing Compliance and Operational Security Demands

Balancing Compliance and Operational Security Demands SESSION ID: GRC-W01 Balancing Compliance and Operational Security Demands Steve Winterfeld Bank Information Security Officer CISSP, PCIP What is more important? Compliance with laws / regulations Following

More information

Italy. EY s Global Information Security Survey 2013

Italy. EY s Global Information Security Survey 2013 Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information

More information

Managing Amazon Web Services within a Hybrid IT model

Managing Amazon Web Services within a Hybrid IT model Managing Amazon Web Services within a Hybrid IT model The last few years have seen revolutionary changes to IT operations as technology infrastructure has been transformed through virtualisation, and the

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information

Best Practices in Identity and Access Management (I&AM) for Regulatory Compliance. RSA Security and Accenture February 26, 2004 9:00 AM

Best Practices in Identity and Access Management (I&AM) for Regulatory Compliance. RSA Security and Accenture February 26, 2004 9:00 AM Best Practices in Identity and Access Management (I&AM) for Regulatory Compliance RSA Security and Accenture February 26, 2004 9:00 AM Agenda Laura Robinson, Industry Analyst, RSA Security Definition of

More information

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

AN OVERVIEW OF INFORMATION SECURITY STANDARDS AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Executive Summary As cloud service providers mature, and expand and refine their offerings, it is increasingly difficult for

More information

IT Security & Compliance. On Time. On Budget. On Demand.

IT Security & Compliance. On Time. On Budget. On Demand. IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount

More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations

More information

Understanding HITRUST s Approach to Risk vs. Compliance-based Information Protection

Understanding HITRUST s Approach to Risk vs. Compliance-based Information Protection Understanding Compliance vs. Risk-based Information Protection 1 Understanding HITRUST s Approach to Risk vs. Compliance-based Information Protection Why risk analysis is crucial to HIPAA compliance and

More information

Consolidated Audit Program (CAP) A multi-compliance approach

Consolidated Audit Program (CAP) A multi-compliance approach Consolidated Audit Program (CAP) A multi-compliance approach ISSA CONFERENCE Carlos Pelaez, Director, Coalfire May 14, 2015 About Coalfire We help our clients recognize and control cybersecurity risk,

More information

Assessing & Managing IT Risk

Assessing & Managing IT Risk Assessing & Managing IT Risk ISACA Pittsburgh Chapter Meeting October 18, 2010 Agenda Introductions IT Risk Assessment An Approach That Makes Sense to IT Measuring Risk Determining Results Audit Planning

More information

Managing Business Risk with HITRUST Leveraging Healthcare s Risk Management Framework

Managing Business Risk with HITRUST Leveraging Healthcare s Risk Management Framework Managing Business Risk with HITRUST Leveraging Healthcare s Risk Management Framework Introduction This presentation is intended to address how an organization can implement the HITRUST Risk Management

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

Information Security Governance:

Information Security Governance: Information Security Governance: Designing and Implementing Security Effectively 2 nd Athens International Forum on Security 15 16 Jan 2009 Anestis Demopoulos, CISA, CISSP, CIA President of ISACA Athens

More information

Self-Service SOX Auditing With S3 Control

Self-Service SOX Auditing With S3 Control Self-Service SOX Auditing With S3 Control The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporate governance norms. As corporations come to terms with

More information

Trends in Information Technology (IT) Auditing

Trends in Information Technology (IT) Auditing Trends in Information Technology (IT) Auditing Padma Kumar Audit Officer May 21, 2015 Discussion Topics Common and Emerging IT Risks Trends in IT Auditing IT Audit Frameworks & Standards IT Audit Plan

More information

Well-Documented Controls Reduce Risk and Support Compliance Initiatives

Well-Documented Controls Reduce Risk and Support Compliance Initiatives White Paper Risks Associated with Missing Documentation for Health Care Providers Well-Documented Controls Reduce Risk and Support Compliance Initiatives www.solutionary.com (866) 333-2133 Many Health

More information

CA Technologies Healthcare security solutions:

CA Technologies Healthcare security solutions: CA Technologies Healthcare security solutions: Protecting your organization, patients, and information agility made possible Healthcare industry imperatives Security, Privacy, and Compliance HITECH/HIPAA

More information

Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors

Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors Importance of Effective Internal Controls and COSO COSO

More information

Department of Technology Services

Department of Technology Services Department of Technology Services 2016-2019 Strategic Plan DTS Dept. of Technology Services Utah Code 63F- 1-203 explicitly requires the Chief Information Officer (CIO) to prepare an executive branch strategic

More information

Cloud Computing are you ready?

Cloud Computing are you ready? Cloud Computing are you ready? Steven Krenz ITSM Practice Lead Agenda Introduction Presentation Topics The traditional Data Center: How it compares to The Cloud Cloud Computing and IT Service Management:

More information

Anypoint Platform Cloud Security and Compliance. Whitepaper

Anypoint Platform Cloud Security and Compliance. Whitepaper Anypoint Platform Cloud Security and Compliance Whitepaper 1 Overview Security is a top concern when evaluating cloud services, whether it be physical, network, infrastructure, platform or data security.

More information

Cloud Security and Managing Use Risks

Cloud Security and Managing Use Risks Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access

More information

Today s Financial Services IT Organization Delivering Security, Value and Performance Amid Major Transformation

Today s Financial Services IT Organization Delivering Security, Value and Performance Amid Major Transformation Today s Financial Services IT Organization Delivering Security, Value and Performance Amid Major Transformation Assessing the Financial Services Industry Results from Protiviti s 2014 IT Priorities and

More information

I, (MR. TECHIE) GOT THE CISO JOB! SHOULD I PREPARE 3 ENVELOPES?

I, (MR. TECHIE) GOT THE CISO JOB! SHOULD I PREPARE 3 ENVELOPES? I, (MR. TECHIE) GOT THE CISO JOB! SHOULD I PREPARE 3 ENVELOPES? Todd Fitzgerald Director Global Information Security Information Security Management Author ManpowerGroup, Inc. (NYSE:MAN, Fortune 500 #129)

More information

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES Aligning information with business and operational objectives ESSENTIALS Leverage EMC Consulting as your trusted advisor to move your and compliance

More information

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS Security solutions for patient and provider access AT A GLANCE Healthcare organizations of all sizes are responding to the demands of patients, physicians,

More information

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:

More information

Enabling Compliance Requirements using ISMS Framework (ISO27001)

Enabling Compliance Requirements using ISMS Framework (ISO27001) Enabling Compliance Requirements using ISMS Framework (ISO27001) Shankar Subramaniyan Manager (GRC) Wipro Consulting Services Shankar.subramaniyan@wipro.com 10/21/09 1 Key Objectives Overview on ISO27001

More information

14 October 2015 ISACA Curaçao Conference By: Paul Helmich

14 October 2015 ISACA Curaçao Conference By: Paul Helmich Governance, Risk & Compliance A practical approach 14 October 2015 ISACA Curaçao Conference By: Paul Helmich Topics today What is GRC? How much of all the GRC literature, tools, etc. do I need to study

More information

CYBERSECURITY: ISSUES AND ISACA S RESPONSE

CYBERSECURITY: ISSUES AND ISACA S RESPONSE CYBERSECURITY: ISSUES AND ISACA S RESPONSE June 2014 KEY TRENDS AND DRIVERS OF SECURITY Consumerization Emerging Trends Continual Regulatory and Compliance Pressures Mobile devices Social media Cloud services

More information

IT Security & Compliance Risk Assessment Capabilities

IT Security & Compliance Risk Assessment Capabilities ATIBA Governance, Risk and Compliance ATIBA provides information security and risk management consulting services for the Banking, Financial Services, Insurance, Healthcare, Manufacturing, Government,

More information

Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry

Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry IT leaders are battening down the hatches, according to Protiviti s latest

More information

Creating Business Value with Effective, Pervasive Cloud Security and Cloud Enablement Services

Creating Business Value with Effective, Pervasive Cloud Security and Cloud Enablement Services Creating Business Value with Effective, Pervasive Cloud Security and Cloud Enablement Services Managing Governance, Risk, and Compliance for Cloud Information Security Introduction Businesses today are

More information

Security, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32

Security, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32 Security, Compliance & Risk Management for Cloud Relationships Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32 Introductions & Poll Organization is leveraging the Cloud? Organization

More information

Combine ITIL and COBIT to Meet Business Challenges

Combine ITIL and COBIT to Meet Business Challenges Combine ITIL and COBIT to Meet Business Challenges By Peter Hill, Director, IT Governance Network, and Ken Turbitt, Best Practices Director, BMC Software BEST PRACTICES WHITE PAPER Table of Contents ABSTRACT...

More information

Think like an MBA not a CISSP

Think like an MBA not a CISSP Think like an MBA not a CISSP Embracing University Culture to Achieve Security Initiatives' Matt Malone Security Services Director 512-650-0179 Matt.Malone@SLAITconsulting.com Goals Security is a business

More information

Cloud Computing An Auditor s Perspective

Cloud Computing An Auditor s Perspective Cloud Computing An Auditor s Perspective Sailesh Gadia, CPA, CISA, CIPP sgadia@kpmg.com December 9, 2010 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,

More information

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance

More information

Domain 5 Information Security Governance and Risk Management

Domain 5 Information Security Governance and Risk Management Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association

More information

IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013

IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013 IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013 Debbie Lew Agenda Review what is IT governance Review what is IT risk management A discussion of key IT risks to be aware of Page 2

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

So Why on Earth Would You WANT To be a CISO?

So Why on Earth Would You WANT To be a CISO? So Why on Earth Would You WANT To be a CISO? SESSION ID: PROF-M05A Todd Fitzgerald CISSP, CISA, CISM, CRISC, CGEIT, PMP, ISO27000, CIPP, CIPP/US, ITILV3f Global Director of Information Security Grant Thornton

More information

Adrian Lane Security Strategist Securosis.com

Adrian Lane Security Strategist Securosis.com Using SIEM for Compliance Adrian Lane Security Strategist Securosis.com Overview SIM/SEM Introduction Compliance Initiatives Implementation Examples Tips Other Considerations Evolution of Terminology SIM

More information

HITRUST. Risk Management Frameworks

HITRUST. Risk Management Frameworks Risk Management Frameworks How provides an efficient and effective approach to the selection, implementation, assessment and reporting of information security and privacy controls to manage risk in a healthcare

More information

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

Cloud Assurance: Ensuring Security and Compliance for your IT Environment Cloud Assurance: Ensuring Security and Compliance for your IT Environment A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware

More information

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management Course: Information Security Management in e-governance Day 1 Session 3: Models and Frameworks for Information Security Management Agenda Introduction to Enterprise Security framework Overview of security

More information

KEY TRENDS AND DRIVERS OF SECURITY

KEY TRENDS AND DRIVERS OF SECURITY CYBERSECURITY: ISSUES AND ISACA S RESPONSE Speaker: Renato Burazer, CISA,CISM,CRISC,CGEIT,CISSP KEY TRENDS AND DRIVERS OF SECURITY Consumerization Emerging Trends Continual Regulatory and Compliance Pressures

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6 to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized

More information

IT Audit in the Cloud

IT Audit in the Cloud IT Audit in the Cloud Pavlina Ivanova, CISM ISACA-Sofia Chapter Content: o 1. Introduction o 2. Cloud Computing o 3. IT Audit in the Cloud o 4. Residual Risks o Used Resources o Questions 1. ISACA Trust

More information

Securing Your Business with Managed File Transfer

Securing Your Business with Managed File Transfer Why FTP/SFTP Solutions Are No Longer a Viable Option www.stonebranch.com Executive Summary This white paper sets out to explain the importance of a Managed File Transfer solution implementation within

More information

Keeping watch over your best business interests.

Keeping watch over your best business interests. Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation

More information

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance The RSA Solution for Cloud Security and Compliance The RSA Solution for Cloud Security and Compliance enables enduser organizations and service providers to orchestrate and visualize the security of their

More information

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC www.fmsinc.org 1 2015 Financial Managers Society, Inc. Cloud Security Implications

More information

The RSA Solution for. infrastructure security and compliance. A GRC foundation for VMware. Solution Brief

The RSA Solution for. infrastructure security and compliance. A GRC foundation for VMware. Solution Brief The RSA Solution for Cloud Security and Compliance A GRC foundation for VMware infrastructure security and compliance Solution Brief The RSA Solution for Cloud Security and Compliance enables end-user

More information

ITIL's IT Service Lifecycle - The Five New Silos of IT

ITIL's IT Service Lifecycle - The Five New Silos of IT The workable, practical guide to Do IT Yourself Vol. 4.01 January 1, 2008 ITIL's IT Service Lifecycle - The Five New Silos of IT By Rick Lemieux In my last article I spoke about IT s evolution from its

More information

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data

More information

Hans Bos Microsoft Nederland. hans.bos@microsoft.com

Hans Bos Microsoft Nederland. hans.bos@microsoft.com Hans Bos Microsoft Nederland Email: Twitter: hans.bos@microsoft.com @hansbos Microsoft s Cloud Environment Consumer and Small Business Services Software as a Service (SaaS) Enterprise Services Third-party

More information

Implement a unified approach to service quality management.

Implement a unified approach to service quality management. Service quality management solutions To support your business objectives Implement a unified approach to service quality management. Highlights Deliver high-quality software applications that meet functional

More information

Testimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology

Testimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology Testimony of Dan Nutkis CEO of HITRUST Alliance Before the Oversight and Government Reform Committee, Subcommittee on Information Technology Hearing entitled: Cybersecurity: The Evolving Nature of Cyber

More information

Cyber Security Solutions

Cyber Security Solutions Cyber Security Solutions Defending the Enterprise General Dynamics Information Technology defends mission-critical systems including government, health, finance, defence, large-enterprise and national

More information

Protecting your brand in the cloud Transparency and trust through enhanced reporting

Protecting your brand in the cloud Transparency and trust through enhanced reporting Protecting your brand in the cloud Transparency and trust through enhanced reporting Third-party Assurance November 2011 At a glance Cloud computing has unprecedented potential to deliver greater business

More information

Accelerate Your Enterprise Private Cloud Initiative

Accelerate Your Enterprise Private Cloud Initiative Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service

More information

Whitepaper Data Governance Roadmap for IT Executives Valeh Nazemoff

Whitepaper Data Governance Roadmap for IT Executives Valeh Nazemoff Whitepaper Data Governance Roadmap for IT Executives Valeh Nazemoff The Challenge IT Executives are challenged with issues around data, compliancy, regulation and making confident decisions on their business

More information

I. System Activities that Impact End User Privacy

I. System Activities that Impact End User Privacy I. System Activities that Impact End User Privacy A. The Information Life Cycle a. Manual processes i. Interaction ii. Data entry b. Systems i. Operating and file ii. Database iii. Applications iv. Network

More information

NEC Managed Security Services

NEC Managed Security Services NEC Managed Security Services www.necam.com/managedsecurity How do you know your company is protected? Are you keeping up with emerging threats? Are security incident investigations holding you back? Is

More information

San Francisco Chapter. Presented by Mike O. Villegas, CISA, CISSP

San Francisco Chapter. Presented by Mike O. Villegas, CISA, CISSP Presented by Mike O. Villegas, CISA, CISSP Agenda Information Security (IS) Vision at Newegg.com Typical Issues at Most Organizations Information Security Governance Four Inter-related CoBIT Domains ISO

More information

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Automating policy enforcement to prevent endpoint data loss IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Highlights Protecting your business value from

More information